[ovs-dev] [PATCH] pinctrl: Fix crash on buffered packets hmap double remove.
Lorenzo Bianconi
lorenzo.bianconi at redhat.com
Mon Nov 12 15:04:20 UTC 2018
> 'destroy_buffered_packets()' removes the hmap node which was
> already removed by 'HMAP_FOR_EACH_POP()' producing following
> crash log:
>
> Invalid read of size 8
> at 0x134EDB: hmap_remove (hmap.h:287)
> by 0x134EDB: destroy_buffered_packets (pinctrl.c:237)
> by 0x13AB3B: destroy_buffered_packets_map (pinctrl.c:246)
> by 0x13AB3B: pinctrl_destroy (pinctrl.c:1804)
> by 0x12C0CF: main (ovn-controller.c:916)
> Address 0x8 is not stack'd, malloc'd or (recently) free'd
>
> Could be captured by check-valgrind on the following test:
> '2720. ovn -- IP packet buffering'
>
> CC: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
> Fixes: d7abfe39cfd2 ("OVN: add buffering support for ip packets")
> Signed-off-by: Ilya Maximets <i.maximets at samsung.com>
> ---
> ovn/controller/pinctrl.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/ovn/controller/pinctrl.c b/ovn/controller/pinctrl.c
> index e3ee516e4..21454ab47 100644
> --- a/ovn/controller/pinctrl.c
> +++ b/ovn/controller/pinctrl.c
> @@ -241,8 +241,8 @@ destroy_buffered_packets(struct buffered_packets *bp)
> static void
> destroy_buffered_packets_map(void)
> {
> - struct buffered_packets *bp;
> - HMAP_FOR_EACH_POP (bp, hmap_node, &buffered_packets_map) {
> + struct buffered_packets *bp, *next;
> + HMAP_FOR_EACH_SAFE (bp, next, hmap_node, &buffered_packets_map) {
> destroy_buffered_packets(bp);
> }
> hmap_destroy(&buffered_packets_map);
> --
> 2.17.1
>
Acked-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
More information about the dev
mailing list